Forum Discussion
Sidra_Raza
Sep 07, 2023Brass Contributor
Entities missing in Incidents
Hello,
Entities are not showing on any of the incidents in Sentinel. Although, I have mapped the entities correctly for each alert.
I have the same alerts and entities mapping on other tenant and it shows entities there. What could be the issue?
Update: I raised the support ticket to microsoft.
Issue has been resolved by Microsoft. It was a misconfiguration from the backend.
10 Replies
- uday_KalvapalliMicrosoft Please share me ticket numner.
- TheHoff70Brass ContributorI'm following/bumping this because we have the same thing, sort of. Sentinel can stop parsing entities for 1-2 hours and then suddenly start again. Playbooks and automation rules get proper data from the incidents but no entities are displayed in the incident.
- CruzAzFormer EmployeeHi Sidra, this sounds like an issue we had last year with the old queries. I would first, make sure that you are using the latest version of the analytic rule. If you are not, it may be related to this: https://learn.microsoft.com/en-us/azure/sentinel/whats-new#account-enrichment-fields-removed-from-azure-ad-identity-protection-connector
- Sidra_RazaBrass ContributorIt's enabled already but no luck.